12 Steps Towards Securing Your Supply Chain
Many small and medium organisations are not protecting their data and devices against cyber-attacks, especially those that originate in the supply chain. A recent report showed that only 12% of organisations regularly review the risks posed by their immediate suppliers, while only one in twenty review the prospective risks from their wider supply chain.
Supply chain attacks are an emerging cyberthreat where cybercriminals target a business’ network by launching malware or ransomware through a third-party supplier. This allows attackers to gain access to valuable company data and devices. An example is an attacker taking control of a supplier’s email system. This would allow them to launch a phishing attack from a reputable account rather than from a random domain. Supply chain attacks pose a significant risk as modern business requires organisations to be so interconnected. For this reason, it is important that you understand the security risk posed by your supply chain.
A recent example of a supply chain attack was the SolarWinds breach. SolarWinds was subject to a cybersecurity attack that spread to 18,000 clients through a software update containing malicious code planted by hackers. The code allowed attackers to create a backdoor to clients’ data and devices, helping them to plant additional malware so they could snoop on other organisations. This complex attack went undetected for months, and the scope of the breach is still unclear.
Supply Chain Attacks are on the Rise
Supply chain attacks aren’t something that just happens to big business; you can be affected too! Guaranteeing the cyber-resilience of your supply chain is important as it is only as strong as its most vulnerable entity. Implementing good cybersecurity to protect your organisation is no longer enough without effective control and oversight of the security of your supply chain. Establishing this control will help you identify whether your suppliers are adhering to their security responsibilities to help protect your organisation. The hard fact is that your organisation will at some point be affected by a supply chain attack.
Committing to these steps also helps contribute towards the bigger picture of future-proofing the UK’s digital economy. This is now a high priority for the UK government. In its recent ‘Call for Views’, it sought to understand how organisations currently manage their supply chain cyber risk. From this feedback, it hopes to develop additional government support that will enable organisations to manage the cybersecurity of their supply chains better.
Acknowledging how challenging this can be, the National Cyber Security Centre (NCSC) has created a 12-step guide to help organisations secure their supply chain. While no strategy guarantees absolute protection, it is a basis for working towards setting minimum security requirements when working with suppliers. Read on to discover how to gain and maintain control of your supply chain. We've also added some top tips from our tech expert James to help you implement the process within your organisation.
12 Steps Towards Creating a Secure Supply Chain
- Understand what data and devices need to be protected and why
- Know who your suppliers are and build an understanding of what their current security looks like
- Understand the security risk posed by your supply chain
James’ Top Tip - When assessing the risk posed by your supply chain, use the same risk assessment process and scoring system that you use for your Health and Safety assessments.
- Communicate your security needs with your suppliers
- Set and communicate your minimum security requirements to your suppliers
- Build security considerations into your contracting processes and require that your suppliers do the same
- Meet your own security responsibilities as a supplier and consumer
- Raise awareness of security within your supply chain
- Provide support for security incidents
James’ Top Tip - Initiating a conversation about the security of your supply chain with your suppliers can be seen as a daunting process. Many people ask us how they should approach this. We always recommend that you should be honest when you initiate the conversation with your supply chain. Be sure to tell your supplier that this is a new procedure for your organisation and that the process could be of benefit to both parties.
- Build assurance activities into your approach to managing your supply chain
James’ Top Tip - Assurance activities do not need to be complicated or expensive. You can show your commitment to securing your supply chain by adding the requirements to your existing contract. This can include evidence such as having obtained a Cyber Essentials certification.
- Encourage the continuous improvement of security within your supply chain
- Build trust with suppliers
James’ Top Tip - Treat this as a continuous project that you update every time a change happens with your suppliers that could affect the security of your supply chain.
For more information on building a cyber-resilient supply chain, the NCSC provides an in-depth guide here.
Don’t Fall Victim to a Supply Chain Attack!
Demonstrate your commitment to protecting the security of your supply chain by choosing NCI Technologies’ expert cybersecurity services. NCI Technologies is an experienced cybersecurity provider for both businesses and schools. Based in Penryn, we deliver expert IT support, telecoms, and cybersecurity solutions across Cornwall, Devon, and the South-West. Our cybersecurity services include fully managed PROsupport+ IT support, cloud backup and disaster recovery, Cyber Essentials accreditations, and cybersecurity awareness training. For support on creating a cyber secure supply chain contact our friendly sales team today.